
I think antiviruses must access the full memory, mustn't they?
– user2567, Jan 2 '11 at 11:46

4 Answers

It is possible, but you may run into a few problems. For starters, are you going to use signature-based detection as the method of detecting malicious files? How will you update these? Modern AV applications have literally thousands of these signatures used for detection, and they are updated daily.

Also, I'd imagine the actual process of scanning each file and checking it against each file on the system would take a long time. Most AV applications nowadays use whitelisting or heuristic-based scanning to reduce scan times. Your application may also be limited to 'On Demand Scanning' (the user manually kicks off a scan) with no support for 'On Access Scanning' (scanning a file immediately once it is invoked).

Finally, things like boot sector scanning and detection of rootkits may not be possible.

And further, those anti-virus programs that do live monitoring (e.g. scanning an EXE when it is run) have to poke very low into the OS to grab the file and scan it before it is actually loaded into memory and executed. This requires some pretty low-level stuff, and I suspect that things like C# [interpreted, high level, and some distance away from the guts of the OS] will struggle. Not necessarily impossible, but certainly difficult.
– quickly_now, Jan 2 '11 at 9:05

2

@quickly_now: C# is not interpreted, it is compiled to an intermediate language (IL) that is then JIT compiled to native at load time (this is how Java now works -- initially the JVM intermediate language was interpreted). However, the requirement for a runtime system never designed for kernel use blocks its use for live monitoring, as you say.
– Richard, Jan 2 '11 at 9:49

1

@dan_waterworth - just take Perl programs for example. They look encrypted most of the time ;-)
– Rook, Jan 2 '11 at 20:10

First of all you need to understand how the viruses behave. The programming of the anti-virus GUI is not a complex task and can be written using any language, but getting the definitions of hundreds of thousands of viruses is a very big task. And, as was already mentioned, you should write a smart and fast pattern matching